Internet X.509 Public Key Infrastructure: Additional Algorithms and Identifiers for DSA and ECDSA

Dang, Quynh H.; Santesson, Stefan; Moriarty, Kathleen; Brown, Daniel R. L.; Polk, Tim

doi:10.17487/rfc5758

Cited by 12 publications

(14 citation statements)

References 4 publications

(5 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…First, consider the signatureValue field in the Certificate ADT. Despite the X.509 standard is typing this field as a primitive BIT STRING, some standardized signature algorithms require it to be a constructed field (e.g., the DSA and ECDSA cryptographic primitives [38,10]), in turn giving way to an ambiguity in its interpretation. The same kind of issue arises in SubjectPublicKeyInfo field in TBSCertificate ADT.…”

Section: Context-sensitivenessmentioning

confidence: 99%

“…Concerning the issue of the extnValue field, we choose to eliminate the ambiguity relying on the fact that the standards define the contents of the constructed type binding it to a specific OID: this in turn allows to parse unambiguously an ADT instance. Concerning the BIT STRING fields, we eliminate the parsing ambiguity recognizing them as constructed or primitive types according to the individual cryptographic primitive needs as specified in the standards [37,19,26,10,38]. Such an approach will indeed pick only a single way of interpreting the data contained in the field, preventing security critical parsing issues such as the ones in [2].…”

Section: Coping With Undecidability Context Sensitiveness and Ambiguitymentioning

confidence: 99%

See 1 more Smart Citation

Systematic parsing of X.509: Eradicating security issues with a parse tree

Barenghi

Mainardi

Pelosi

2018

JCS

View full text Add to dashboard Cite

X.509 certificate parsing and validation is a critical task which has shown consistent lack of effectiveness, with practical attacks being reported with a steady rate during the last 10 years. In this work we analyze the X.509 standard and provide a grammar description of it amenable to the automated generation of a parser with strong termination guarantees, providing unambiguous input parsing. We report the results of analyzing a 11M X.509 certificate dump of the HTTPS servers running on the entire IPv4 space, showing that 21.5% of the certificates in use are syntactically invalid. We compare the results of our parsing against 7 widely used TLS libraries showing that 631k to 1, 156k syntactically incorrect certificates are deemed valid by them (5.7%-10.5%), including instances with security critical mis-parsings. We prove the criticality of such mis-parsing exploiting one of the syntactic flaws found in existing certificates to perform an impersonation attack.SYSTEMATIC PARSING OF X.509 -DECEMBER 13, 2018 against the X.509 certificate validation have been pointed out for the last 10 years, leading to effective impersonations against TLS/SSL enabled software.Some among the most renown security issues involve certificates which are deemed valid to be binding a public key to the identity of a Certification Authority (CA), while such an information is contradicted either by the values contained in the certificate [29] or by misinterpretations in the subject name contained in it [30], both leading to effective impersonation of an arbitrary identity. More recently, in [23] it was shown that inconsistent validations were performed by different TLS libraries, due to integer overflows in the recognition of some X.509 certificate fields, providing ground for attacks. Broken certificates are common even among the Alexa top 1M visited sites [39], and the diversity in the Application Program Interface (API) exposed by the existing TLS/SSL libraries was proven a further source of security issues [16]. The latest among the reported issues on X.509 validation shows that, due to a misinterpretation issue of the encoding, it was effectively possible to get certificates with forged signatures accepted [12,11].An interesting point to be noted is that all the aforementioned issues do not stem from a cryptographic vulnerability of the employed primitives, but rather from a non systematic approach to the syntactic recognition of the certificate. Indeed, mainly due to the high complexity of the data format, no methodical approach at content format recognition and syntactic verification, i.e., parsing, has been either proposed or employed in the use of existing X.509 digital certificates. All the existing available implementations dealing with X.509 certificates employ ad-hoc handcrafted code to parse the certificate contents, in turn resulting in software artifacts which are difficult to test for correctness. A practical validation of such issue is reported in [7] where the authors employed a tool to generate pseudo-random X.509 certif...

show abstract

Section: Context-sensitivenessmentioning

confidence: 99%

Section: Coping With Undecidability Context Sensitiveness and Ambiguitymentioning

confidence: 99%

Systematic parsing of X.509: Eradicating security issues with a parse tree

Barenghi

Mainardi

Pelosi

2018

JCS

View full text Add to dashboard Cite

show abstract

“…It builds on the Cryptographic Message Syntax [24][25][26] from PKCS #7 and presumes authenticated distribution of public keys through a X.509 hierarchical PKI. Supported signature algorithms include RSA (PKCS #1 v1.5 [5] and RSA-PSS [42]), DSA and ECDSA (based on SHA-1 or SHA-2, see [5,15]), and a form of the GOST signature scheme [31].…”

Section: S/mimementioning

confidence: 99%

Linkable message tagging: solving the key distribution problem of signature schemes

Günther

Poettering

2016

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Abstract. Digital signatures are one of the most extensively used cryptographic primitives today. It is well-understood that they guarantee practical security only if the corresponding verification keys are distributed authentically; however, arguably, satisfying solutions for the latter haven't been found yet, or at least aren't in large-scale deployment. This paper introduces a novel approach for cryptographic message authentication where this problem does not arise: A linkable message tagging scheme (LMT) identifies pairs of messages and accompanying authentication tags as related if and only if these tags were created using the same secret key. In other words, in contrast to signature schemes, our primitive does not aim at detecting whether individually considered messages originate from an explicitly specified entity, but instead decides whether all messages from a given collection originate from the same (possibly anonymous) source. The appealing consequence is that our primitive fully avoids public keys and hence elegantly sidesteps the key distribution problem of signature schemes. As an interesting application of LMT we envision an email authentication system with minimal user interaction. Email clients could routinely generate a secret LMT key upon their first invocation, and then equip all outgoing messages with corresponding tags. On the receiver's side, client software could automatically verify for incoming messages whether they indeed originate from the same entity as previously or subsequently received messages with identical sender address. Although this form of authentication does not provide as strong guarantees of message's origin as signature schemes would do, we do believe that trading the apparently discouraging obstacles implied by the authentic distribution of signature verification keys for the assumption that an attacker does not forge every message exchanged between parties is quite attractive. As technical contributions we formalize the notions of LMT and its (more efficient) variant CMT (classifiable message tagging), including corresponding notions of unforgeability. For both variants we propose a range of provably secure constructions, basing on different hardness assumptions, with and without requiring random oracles.

show abstract

“…For that purpose, we make use of ECC-based certificates [20] that have been standardized by IETE as PKIX-X.509, which is almost similar to X.509 with a main difference of using the elliptic curve digital signature algorithm (ECDSA) [21]. Figure 6 illustrates the format of the ECC-based X.509 certificate, such that we replace the public key of the user (the subject) by the corresponding attributes for the access control policy, which consist mainly of the role and the permission associated.…”

Section: Dynamic Role Assignment Using Ecc-attribute Certificatementioning

confidence: 99%